[GH-ISSUE #48] Claude Code OAuth token usage after recent policy changes #13

Closed
opened 2026-02-27 07:19:59 +03:00 by kerem · 1 comment
Owner

Originally created by @vinnytwice on GitHub (Jan 14, 2026).
Original GitHub issue: https://github.com/KeygraphHQ/shannon/issues/48

Hi,

First of all, thanks for this great tool! I was planning to use Shannon to test my applications before deployment.

I noticed that Shannon supports both Anthropic API key and Claude Code OAuth token authentication. I was initially excited about the OAuth option since I have a Claude Pro subscription with unused Sonnet capacity.

However, I recently became aware of Anthropic's enforcement regarding OAuth token usage being restricted to Claude Code itself. This raises some concerns about whether using the OAuth token with Shannon is still compliant with Anthropic's terms of service.

Could you please clarify:

  1. Is using CLAUDE_CODE_OAUTH_TOKEN with Shannon still a supported/compliant authentication method?
  2. If not, are there any plans to adapt Shannon to work as a Claude Code extension (e.g., MCP server with full pentesting capabilities) rather than a standalone agent?
  3. Any other recommended approach for users who would prefer not to use pay-per-token API access?

Many thanks

kerem closed this issue 2026-02-27 07:19:59 +03:00

@keygraphVarun commented on GitHub (Jan 18, 2026):

Hi,
Thanks for raising this.

  1. Is CLAUDE_CODE_OAUTH_TOKEN still a supported/compliant authentication method?
    Our primary recommended method is the Anthropic API key (ANTHROPIC_API_KEY). We'll make this more explicit in the README. Our hosted version strictly supports the Anthropic API key only, and that's been the case even before this change.
    We do still accept CLAUDE_CODE_OAUTH_TOKEN since the Claude Agent SDK (which Shannon is built on) accepts it via environment variable, and it still seems to be working. Based on our understanding, using OAuth tokens for your own Agent SDK apps running in your own environment (local, CI, internal tooling) is permitted. The restriction applies to third-party apps that distribute or proxy Claude.ai login to other users. Since Shannon is self-hosted and run by individuals for their own private testing, this use case should be fine. That said, we'll remove the option if/when Anthropic blocks or deprecates it.
    Of course, we're not in a position to provide guidance on ToS compliance. We'd encourage you to review Anthropic's terms directly and make your own judgment based on your specific use case.
  2. Any plans to adapt Shannon as a Claude Code extension / MCP server?
    No plans at the moment, but I've added it to our backlog. Thanks for the suggestion.
  3. Alternatives?
    Unfortunately not, outside of startup credits that Anthropic offers :)